Category: AlienVault

This blog was written by an independent guest blogger.

“Ransomware has become the enemy of the day; the threat that was first feared on Pennsylvania Avenue and subsequently detested on Wall Street is now the topic of conversation on Main Street.”

Frank Dickson, Program Vice President, Cybersecurity Products at IDC

In the first installment of this blog series (Endpoint Security and Remote Work), we highlighted the need to provide comprehensive data protections to both traditional and mobile endpoints as an enabler of remote work.  In this second chapter, we’ll expand on the importance of endpoint security as one of many key elements for defining an organization’s security posture as it relates to arguably the most relevant cybersecurity issue of the day.  

Cue the ominous music and shadowy lighting as it is likely the mood for most cybersecurity professionals when considering the topic of ransomware. To the dismay of corporate executives, government and education leaders, and small business owners, ransomware is pervasive and evolving quickly.  As evidence, a recent report indicated that roughly half of all state and local governments worldwide were victim of a ransomware attack in 2021. 

However, there are important steps that can be taken along the path to digital transformation to minimize the risk associated to these attacks.  As companies consider the evolution of their strategy for combating ransomware, there are five key strategies to help with reducing the risks inherent to an attack:

1. Prevent phishing attacks and access to malicious websites

Companies must be able to inspect all Internet bound traffic from every endpoint, especially mobile, and block malicious connections.  This challenge is significantly more complex than simply inspecting corporate email.  In fact, because bad actors are highly tuned to user behavior, most threat campaigns generally include both a traditional and mobile phishing component to the attack.                                              

Bad actors are highly tuned to user behavior as they look to perpetuate their attacks and SMS/Messaging apps provide considerably higher response rates. To quantify, SMS has a 98% open rate and an average response time of just 90 seconds.   The same stats for email usage equate to a 20% open rate and 1.5-hour response time which help explain why hackers have pivoted to mobile to initiate ransomware attacks.

As a result, Secure Web Gateways (SWG) and Mobile Endpoint Security (MES) solutions need to work in concert to secure every connection to the Internet and from any device. Both SWG and MES perform similar functions specific to inspecting web traffic but they do it from different form factors and operating systems.  The data protections for SWG are primarily available on traditional endpoints (Windows, MacOS, etc.) where MTD addresses the mobile ecosystem with protections for iOS and Android.  Because ransomware can be initiated in many ways including but not limited to email, SMS, QR codes, and social media, every organization must employ tools to detect and mitigate threats that target all endpoints. 

2. Prevent privilege escalation and application misconfigurations

Another tell-tale sign of a possible ransomware attack is the escalation of privileges by a user within the organization.  Hackers will use the compromised credentials of a user to access systems and disable security functions necessary to execute their attack.  The ability of the IT organization to recognize when a user’s privileges have been altered is made possible through UEBA (User and Entity Behavior Analytics).  Many times, hackers will modify or disable security functions to allow them easier access and more dwell time within an organization to identify more critical systems and data to include in their attack.  The ability to identify abnormal behavior such as privilege escalation or “impossible travel” are early indicators of ransomware attacks and key aspects of any UEBA solution.  For example, if a user logs into their SaaS app in Dallas and an hour later in Moscow, your security staff need to be aware, and you must have tools to automate the necessary response that starts with blocking access to the user. 

3. Prevent lateral movement across applications

After the ransomware attack has been initiated, the next key aspect of the attack is to obtain access to other systems and tools with high value data that can be leveraged to increase the ransom.  Therefore, businesses should enable segmentation at the application level to prevent lateral movement.  Unfortunately, with traditional VPNs, access management can be very challenging.  If a hacker were to compromise a credential and access company resources via the VPN, every system accessible via the VPN could now be available to expand the scope of the attack. 

Current security tools such as Zero Trust Network Access prevent that lateral movement by authenticating the user and his/her privileges on an app-by-app basis.  That functionality can be extended by utilizing context to manage the permissions of that user based on many factors such which device is being utilized for the request (managed vs. unmanaged), the health status of the device, time of day/location, file type, data classification such as confidential/classified, user activity such as upload/download, and many more.  A real-world example would allow view only access to non-sensitive corporate content via their personal tablet to perform their job, but would require the data be accessed via a managed device if they were to take any action such as sharing or downloading that content.  

4. Minimize the risk of unauthorized access to private applications

It is essential for companies to ensure that corporate/proprietary apps and servers aren’t discoverable on the Internet.  Authorized users should only get access to corporate information using adaptive access policies that are based on users’ and devices’ context.  Whether these applications reside in private data centers or IaaS environments (AWS, Azure, GCP, etc.), the same policies for accessing data should be consistent. Ideally, they are managed by the same policy engine to simplify administration of an organization’s data protections.  One of the most difficult challenges for security teams in deploying Zero Trust is the process of creating policy.  It can take months or even years to tune false positives and negatives out of a DLP policy, so a unified platform that simplifies the management of those policies across private apps, SaaS, and the Internet is absolutely critical. 

5. Detect data exfiltration and alterations

A recent trend amongst ransomware attacks has included the exfiltration of data in addition to the encryption of the critical data.  In these examples, the data that was stolen was then used as leverage against their victim to encourage the payment of the ransom.  LockBit 2.0 and Conti are two separate ransomware gangs notorious for stealing data for the purposes of monetizing it and at the same time using it to damage the reputation of their targets.

Hence, companies must be able to leverage the context and content-aware signals of their data to help mitigate malicious downloads or modifications of their data.  At the same time, it is just as important that these signals travel with the files throughout their lifecycle so that the data can be encrypted when accessed via an unauthorized user, thereby preventing them from being able to view the content.  Enterprise Data Rights Management and DLP together can provide this functionality that serves as an important toolset to combat ransomware attacks by minimizing the value of the data that is exfiltrated. 

It should also be noted that this functionality is just as important when considering the impact to compliance and collaboration.  Historically, collaboration has been thought to increase security risk, but the ability to provide data protections based on data classification can dramatically improve a company’s ability to collaborate securely while maximizing productivity.

As stated above, there is considerably more to preventing ransomware attacks than good endpoint security hygiene.  With the reality of remote work and the adoption of cloud, the task is significantly more challenging but not impossible.  The adoption of Zero Trust and a data protection platform that includes critical capabilities (UEBA, EDRM, DLP, etc.) enables companies to provide contextually aware protections and understand who is accessing data and what actions are being taken…key indicators that can be used to identify and stop ransomware attacks before they occur.  

For more information regarding how to protect your business from the perils of ransomware, please reach out to your assigned AT&T account manager or click here to learn more about how Lookout’s platform helps safeguard your data.

This is part two of a three-part series, written by an independent guest blogger. Please keep an eye out for the last blog in this series which will focus on the need to extend Endpoint Detection and Response capabilities to mobile.

The post 5 ways to prevent Ransomware attacks appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

Despite years of industry efforts to combat insider threats, malicious behavior can still sometimes be difficult to identify. As organizations work towards building a corporate cyber security culture, many have begun looking into zero-trust architectures to cover as many attack surfaces as possible.

This action is a step in the right direction, but it also has the potential to raise fears and generate negative responses from employees. Zero-trust security could instill demotivation and resentment if taken as a sign of poor faith and mistrust, accelerating turnover rates and bringing the Great Resignation to a peak. 

How can an organization effectively navigate zero-trust without creating friction among employers and employees? In addition, how can they get there without holding trust-building exercises as part of an in-office environment?

Why trust matters in modern business environments

The security perimeter is no longer a physical location in a modern enterprise; it is a set of access points dispersed in and delivered from the cloud. In addition to identity, the authorization model should factor in the sensitivity of the data, the source location of the request, reliability of the endpoint, etc. The use of multiple cloud platforms and a growing number of endpoints can massively expand the attack surface.

The foundation of zero-trust security starts by eliminating the word trust. Criminals today don’t break into network perimeters; they log in with stolen credentials and then move laterally across the network, hunting for more valuable data. Protecting the path from identity to data is crucial – this is at the heart of an ID-centric zero-trust architecture. To do so, security teams should:

• Validate the user
• Verify the device
• Limit access and privilege

The layers that connect identity to data play essential roles in sharing context and supporting policy enforcement. A zero-trust architecture is continuously aware of identity and monitors for a change in context.

A new memorandum by the United States Government Office of Management and Budget (OBM) outlines why zero-trust architecture is crucial to securing web applications that are relied on daily. The SolarWinds attack reminds us that supply chain security is vital, and the recent Log4Shell incident also highlights how crucial effective incident response is, so finding a way to an improved security posture is imperative.

However, zero-trust does not mean encouraging mistrust through the organization’s networks, and companies should not have to rely on technologies alone for protection. When it is a team effort, security is best applied, and successful zero-trust depends on a culture of transparency, consistency, and communication across the whole organization. But how can organizations achieve this?

The two pillars of building (Zero) Trust

When building zero-trust in any organization, two key pillars must be considered – culture and tools.

As companies begin implementing zero-trust, they must also integrate it into their culture. Inform employees what’s going on, what the process of zero-trust entails, how it impacts and benefits them and the company, and how they can support the zero-trust process. By engaging employees and challenging them to embrace skepticism towards potential threats, businesses are planting the seeds of security across their organizational ecosystem. Once employees understand the value of zero-trust, they also feel trusted and empowered to be part of the broader cybersecurity strategy.

Once zero-trust has been implemented at the core of an organization’s cybersecurity culture, the next step is to apply best practices to implement zero-trust. There are several measures that organizations can take, including:

• Use strong authentication to control access.
• Elevate authentication.
• Incorporate password-less authentication.
• (Micro)segment corporate network.
• Secure all devices.
• Segment your applications.
• Define roles and access controls.

Although Zero-Trust is technology agnostic, it is deeply rooted in verifying identities. One of the first steps is identifying the network’s most critical and valuable data, applications, assets, and services. This step will help prioritize where to start and enable zero-trust security policies to be created. If the most critical assets can be identified, organizations can focus their efforts on prioritizing and protecting those assets as part of their zero-trust journey.

The use of multi-factor authentication is crucial here. It is not a case of if to use it, but when. Phishing-resistant MFA can’t be compromised even by a sophisticated phishing attack, which means the MFA solution cannot have anything that can be used as a credential by someone who stole it. This includes one-time passwords, security questions, and imperceptible push notifications.

The challenge of implementing zero-trust

One essential problem that most enterprises are dealing with is the issue of fragmented IAM. As a result, zero-trust implementation is fraught with high complexity, risks, and costs.

The key reason behind this problem is that organizations are operating multiple identity security silos. In fact, the Thales 2021 Access Management Index report indicates that 33% of the surveyed organizations have deployed three or more IAM tools. Coordinating that many systems can, at a minimum, create operational complexity, but it can also increase the risk of fragmented security policies, siloed views of user activity, and siloed containment.

A zero-trust culture should help enterprises with IAM silos to move towards a standardized zero-trust security model, with standardized security policies and adjustments orchestrated from a central control panel across underlying silos. The process should provide insights on security policy gaps and inconsistencies and recommend security policy adjustments based on zero-trust security principles.

Conclusion

A zero-trust approach to security is to cover all attack surfaces and protect organizations, but they mean nothing without people using them appropriately. Aligning company success and security with employee success and security is crucial. Deploying a centralized IAM solution that covers all attack surfaces ensures optimal protection and helps build confidence in a zero-trust business and computing environment.

The post Building trust in a Zero-Trust security environment appeared first on Cybersecurity Insiders.

Cyberattacks are alarming, and establishments must increase protections, embrace a layered attitude, and cultivate security-conscious users to combat growing concerns.

Cybersecurity leaders are being inundated with talent development resources offered, encompassing hiring, recruitment, and retention of the talent pipeline. Fifty percent of hiring managers typically deem that their candidates aren’t highly qualified. Globally, the cybersecurity professional shortage is estimated to be 2.72 million based on findings in the 2021 (ISC)2 Cybersecurity Workforce Study & ISACA State of Cybersecurity 2021 Survey.

The cybersecurity workforce demand is a standing boardroom agenda for CISOs and senior executive constituents. CISOs must work collaboratively alongside human resources to solve talent pipeline challenges.

A Cyber Seek 2021 assessment indicates 597, 767 national cybersecurity job openings; thus, assertively, organizations must address this immediate disparity through consensus-building, diversity of thought, and out-of-the-box thinking. CISOs must evaluate their current hiring practices, transform ideal-to-actual job descriptions, and scrutinize their HR/organizational culture to remove aggressive tendencies and embrace a more forward-leaning, authentic, and autonomous culture.

Talent development is considered the cornerstone to increasing diversity-infused candidates into the cybersecurity pipeline. Based on my experience, I have adopted a three-prong attack strategy to cultivate a unique palette of experience and knowledge to ascertain a solid talent-rich team.

This goes beyond the outdated mentality of third-party partnerships to lean on certificates, degrees, professional associations, and internship/fellowship programming to acquire unique talent. This approach, combined with interview preparation and stretch assignments, creates real-time, mutually beneficial skills for current team members.

Lastly, providing opportunities to showcase my employees’ newfound skills through conferences (internal/external), community engagements, and immersive responsibilities provide hands-on experiences & shadowing opportunities. This helps to level up knowledge transfer and strengthen mentorship/sponsorship programs that create a more synergistic, follow-then-lead approach to build the talent pipeline.

As a transformational leader, it is paramount to change current hiring practices to further reach untapped talent inside and outside the organization using my three-prong attack strategy:

1. Go where the talent is located. Seek talent that has the drive, ambition, and tenacity to level themselves up through self-driven, multipronged vectors and consequently are thirsty and self-motivated.

2. Survey current hiring practices to identify the talent gaps. (Who? Where? Why? When? What?  & How?). Build a diverse talent pipeline and create new partnerships that are currently serving the population previously identified in the gap analysis.

3. “Try before you buy” mentality. Increase credibility and employee confidence through stretch assignments, mentorships/sponsorships, and leadership development tasks to align employees with exposure and insight before leaping to a new role.

My guiding principles lead me to ignite my employees' inner authenticity and emotional intelligence to provide a team-oriented, future-oriented culture. This culture relies heavily on an in-group collectivism mindset to tap into “their inner leader.” Deeply coupled partnerships operate from a customized driver/navigator paradigm to provide an inclusive, autonomous environment.

In my experience, cybersecurity job descriptions primarily tend to be too inelastic. The panic-stricken job descriptions can turn away competent, qualified, and dedicated applicants. Plus, many highly qualified individuals do not have college degrees nor have attended boot camps or completed traditional security training that would be excellent security candidates.

Moreover, career changers are a large part of the untapped real estate that possess lucrative, diverse skillsets (i.e., lawyers, teachers, and librarians). Hiring candidates with the desire, passion, and willingness to learn or self-hone their skills should be treasured and respected.  Pioneering thought leadership is vital to building an above-board Diversity, Equity, and Inclusion (DEI) focused organization to complement current best practices interlaced with a meet-them-where-they-are mentality to cultivate good results.

The post Challenges that impact the Cybersecurity talent pipeline appeared first on Cybersecurity Insiders.

If your organization is having trouble creating policies, I hope that this blog post will help you set a clear path. We’ll discuss setting up your organization up for success by ensuring that you do not treat your policies as a “do once and forget” project. Many organizations I have worked with have done that, but later realized good policy lifecycle is required, and a pillar of good governance.

Organizations often feel that developing and enforcing policies is bureaucratic and tedious, but the importance of policies is often felt when your organization does not have them. Not only are they a cost of doing business, but they are also used to establish the foundation and norms of acquiring, operating, and securing technology and information assets.

The lifecycle, as it implies, should be iterative and continuous, and policies should be revisited at a regular cadence to ensure they remain relevant and deliver value to your business.

 Assess

The first step is to find out where your organization is, this step should shine a light on where, and what gaps exist.

First, determine how you will be assessing your policies; here is a checklist, whether you are building new ones or bringing current ones up to date:

• Is it current and up to date
• Does it have a clear purpose or goal
• Does it have a clear scope (inclusions /exclusions)
• Does it have a clear ownership
• Does it have a clear list of affected people
• Does it have language that is easy to understand
• Is it detailed enough to avoid misinterpretations
• Does it follow the laws/regulations/ethical standards
• Does it reflect the organizational goals/values and culture
• Are key terms and acronyms defined
• Have related policies and procedures been identified
• Are there clear consequences for non-compliance
• Is it approved and supported by management
• Is it enforceable

Next, inventory your organization’s policies by listing them and then assessing the quality using the previous list. Based on the quality, identify if your organization needs new policies or if the existing ones need improvement, then determine the amount of work that will be required.

Best practices suggest that you may want to prioritize your efforts on the most significant improvements, those that focus on the most serious business vulnerabilities.

Understand that policy improvement does not end with a new policy document. You will need to plan for communications, training, process changes, and any technology improvements needed to make the policy fair and enforceable.

Develop

After the assessment is done, you should plan on developing your policies or revamping the old ones. Although there is no consensus on what makes a good policy, referenced material [1] [2] [3] [4] suggests the following best practices, policies should have a clear purpose and precise presentation that drives compliance by eliminating misinterpretations;

All policies should include and describe the following:

• Purpose
• Expectations
• Consequences
• Glossary of terms

For maximum effect, policies should be written:

• With everyday language
• With direct and active voice
• Precisely to avoid misinterpretation
• Realistically
• Consistently in keeping with standards

Consider that policies need to be actively sold to the people who are supposed to follow them. You can achieve that by using a communication plan that includes:

• Goals and objectives
• Key messages
• Potential barriers
• Suggested actions
• Budget considerations
• Timelines

Enforcement

A lack of enforcement will create ethical, financial, and legal risks to any organization. Among the risks are loss of productivity due to abuse of privileges, potential wasted resources, and loss of reputation if an employee engages in illegal activities due to poor policy enforcement, which can lead to potential litigation. Make sure that you have clear rules of engagement.

Your organization should establish the proper support framework around Leadership, Process, and Monitoring. Policies should perform against standards. Policies don't always fail due to bad behavior; they fail because:             

• They are poorly written
• There is no enforcement
• They are illegal or unethical
• They are poorly communicated
• They go against company culture

If your company feels overwhelmed thinking about all the moving pieces that make up an IT Policy Management Lifecycle. Let AT&T Cybersecurity Consulting help whether you need to amend existing policies, implement one or more brand new policies, or need a complete overhaul of the entire policy portfolio.

References

1) F. H. Alqahtani, “Developing an Information Security Policy: A Case Study Approach,” Science Direct, vol. 124, pp. 691-697, 2017.

2) S. Diver, “SANS White Papers,” SANS , 02 03 2004. [Online]. Available: https://www.sans.org/white-papers/1331/. [Accessed 15

3) S. V. Flowerday and T. Tuyikeze, “Information security policy development and implementation: The what, how, and who,” Science Direct, vol. 61, pp. 169-183, 2016.

4) K. J. Knapp, R. F. Morris, T. E. Marshall and T. A. Byrd, “Information security policy: An Organizational level process model,” Science Direct, vol. 28, no. 7, pp. 493-508, 2007.

The post How to create a continuous lifecycle for your IT Policy Management appeared first on Cybersecurity Insiders.

Introduction

Since my previous blog CMMC Readiness was published in September 2021, the Department of Defense (DoD) has made modifications to the program structure and requirements of the Cybersecurity Maturity Model Certification (CMMC) interim rule first published in September 2020.  CMMC 2.0 was officially introduced in November 2021 with the goal of streamlining and improving CMMC implementation.

In this blog, I will identify the key changes occurring with CMMC 2.0 and discuss an implementation roadmap to CMMC readiness.

Key changes

Key changes in CMMC 2.0 include:

• Maturity Model reduced from 5 compliance levels to 3
  • Level 3 – Expert
  • Level 2 – Advanced (old Level 3)
  • Level 1 – Foundational
• Improved alignment with National Institute of Standards and Technology (NIST)
  • NIST SP 800-171
  • NIST SP 800-172
• Practices reduced from 130 to 110 for Level 2 Certification
• Independent assessment by C3PAO at Level 2 – Advanced
• Self-assessment at Level 1 – Foundational, limited at Level 2 – Advanced
• Removed processes (ML.2.999 Policy, ML.2.998 Practices, and ML.3.997 Resource Plan)

Figure 1. CMMC Model

Source: Acquisition & Sustainment – Office of the Under Secretary of Defense

CMMC requirements at Level 1 and Level 2 now align with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.  This alignment should be beneficial to most DIB organizations since they have been subject to FAR 52.204-21 or DFARS 252.204-7012 and should have been self-attesting to NIST SP 800-171 practices whether it be the 17 NIST practices required for those handling only FCI or the 110 NIST practices for those handing FCI and CUI.  Those organizations that took self-attestation seriously over the years should be able to leverage the work they have previously performed to place themselves in a strong position for CMMC certification.

CMMC 2.0 may have dropped the three Processes (ML.2.999 Policy, ML.2.998 Practices, and ML.3.997 Resource Plan), but that does not eliminate the requirement for formal security policies and control implementation procedures.  CUI security requirements were derived in part from NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53).  The tailoring actions addressed in Appendix E of NIST SP 80-171R2 specify that the first control of each NIST SP 800-53 family (e.g., AC-1, AT-1, PE-1, etc.), which prescribe written and managed policies and procedures, are designated as NFO or “expected to be routinely satisfied by nonfederal organizations without specification”.  This means that they are required as part of the organization’s information security management plan and are applicable to the CUI environment.  Refer to Appendix E for other NIST SP 800-53 controls that are designated as NFO and include them in your program.

Implementation roadmap

Although there have been welcomed changes to the structure of CMMC, my recommended approach to implementation first presented last September has changed little.  The following presents a four-step approach to get started down the road to CCMC Level 2 certification. 

Education

I cannot stress the importance of educating yourself and your organization on the CMMC 2.0 requirements.  A clear and complete understanding of the statute including the practice requirements and the certification process is critical to achieving and maintaining CMMC certification.  This understanding will be integral to crafting a logical, cost-effective approach to certification and will also provide the information necessary to effectively communicate with your executive leadership team. 

Start your education process by reading the CMMC 2.0 documents relevant to your certification level found at OUSD A&S – Cybersecurity Maturity Model Certification (CMMC) (osd.mil).

• Cybersecurity Maturity Model Certification (CMMC) Model Overview Version 2.0/December 2021 – presents the CMMC model and each of its elements
• CMMC Model V2 Mapping Version 2 December 2021 – Excel spreadsheet that presents the CMMC model in spreadsheet format.
• CMMC Self-Assessment Scope – Level 2 Version 2 December 2021 – Guidance on how to identify and document the scope of your CMMC environment.
• CMMC Assessment Guide – Level 2 Version 2.0 December 2021 – Assessment guidance for CMMC Level 2 and the protection of Controlled Unclassified Information (CUI).

Define

The CMMC environment that will be subject to the certification assessment must be formally defined and documented.    The first thing that the CMMC Third-Party Assessor Organization (C3PAO) engaged to perform the Level 2 certification must do is review and agree with the CMMC scope presented by the DIB organization.  If there is no agreement on the scope, the C3PAO cannot proceed with the certification assessment. 

Scope

CMMC environment includes all CUI-related associated assets found in the organization’s enterprise, external systems and services, and any network transport solutions.  You should identify all of  the CUI data elements that are present your environment and associate them with one or more business processes.  This includes CUI data elements provided by the Government or a Prime Contractor, as well as any CUI created by you as part of the contract execution.  Formally document the CUI data flow through each business process to visualize the physical and logical boundaries of the CMMC environment.  The information gleaned during this process will be valuable input to complete your System Security Plans (SSPs).

Not sure which data elements are CUI?  Work directly with your legal counsel and DoD business partner(s) to reach a consensus on what data elements will be classified as CUI.   Visit the NARA website at (Controlled Unclassified Information (CUI) | National Archives) for more information concerning the various categories of CUI.   Ensure that the classification discussions held by the team and any decisions that are made are documented for posterity. Do not forget to include CUI data elements that are anticipated to be present under any new agreements.

Figure 2. High-Level CMMC Assessment Scope

Based on image from CMMC Assessment Scope – Level 2 Version 2.0 | December 2021

During the scoping exercise, you should look for ways to optimize its CMMC footprint by enclaving CUI business processes from non-CUI business processes through physical or logical segmentation.  File and database consolidation may be helpful in reducing the overall CMMC footprint, as well as avoiding handling CUI that serves no business purpose.

GCC v GCC High

Heads up to those DIB organizations that utilize or plan to utilize cloud-based services to process, store, or transit CUI. The use of cloud services for CUI introduces the GCC vs. GCC High considerations.  The GCC environment is acceptable in those instances where only Basic CUI data elements are present.  GCC High is required if CUI-Specified or ITAR/EAR designated data elements are present.  In some instances, prime contractors that utilized GCC High may require their subcontractors to do the same.

Asset Inventory

Asset inventory is an mandatory and is an important part of scoping.  The table below describes the five categories of CUI assets defined by CMMC 2.0.

Asset	Description
CUI	Assets that process, store, or transmit CUI
Security Protection	Assets that provide security functions or services to the contractor’s CMMC scope.
Contractor Risk Managed	Assets that can, but are not intended to process, store, or transmit CUI due to security controls (policies, standards, and practices) put in place by the contractor.
Specialized	Special group of assets (government property, Internet of Things (IoT), Operational Technology (OT), Restricted Information Systems, and Test Equipment) that may or may not process, store, or transmit CUI.
Out-Of-Scope	Assets that cannot process, store, or transit CUI because they are physically or logically separated from CUI assets.

DIB contractors are required to formally document all CUI assets in an asset inventory as well as in their SSPs.  There are no requirements expressed for what information is to be captured in the inventory, but I would recommend in addition to capturing basic information (i.e., serial numbers, make, models, manufacturer, asset tag id, and location) you consider mapping the assets to their relevant business processes and identify asset ownership.   Owners should be given the responsibility for overseeing the appropriate use and handling of the CUI-associated systems and data throughout their useful lifecycles.  An asset management system is recommended for this activity, but Microsoft Excel should be adequate for capturing and maintaining the CUI inventory for small to midsize organizations.

Figure 3. Asset Inventory

Assess

Once you have your asset inventories completed and your CMMC scope defined, it’s time to perform a gap analysis to determine your security posture alignment with CMMC requirements.  If you have been performing your annual self-attestation against NIST SP 800-171, you can leverage this work but be sure to assess with greater rigor.  Consider having a CMMC Registered Practitioner from a third-party provider perform the assessment since will provide an unbiased opinion of your posture.  The results of the gap assessment should be placed into a Plan of Action and Milestones (POAM) where you will assign priorities, responsibilities, solutions, and due dates for each gap requiring corrective action.

Remediate

Finally, use the POAM to drive the organizations remediation efforts in preparation for CMMC certification.  Remember that if you contract 3rd-party services as part of remediation (e.g., managed security services, cloud services, etc.) those services become part of your CMMC scope.  Consider performing a second posture assessment after remediation efforts are complete to ensure you are ready for the certification assessment by the C3PAO.  CMMC certification is good for 3 years, so be sure to implement a governance structure to ensure your program is positioned for recertification when the time comes.

Conclusion

I hope this implementation roadmap provides a benefit to you on your CMMC Level 2 certification journey.  Keep in mind, there are no surprising or unusual safeguards involved in the process as CMMC requirements align with industry best practices for cybersecurity.  As with any strong information security program, it is critical that you fully understand the IT environment, relevant business processes, and data assets involved.  As we like to say in cybersecurity, “you can’t protect an asset if you don’t know what it is or where it’s at”.  Completing the upfront administrative work such as education, scope, and inventory will pay dividends as you progress toward independent certification.

The post CMMC 2.0: key changes appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

The Domain Name System (DNS) is an important tool that connects devices and services together across the Internet. Managing your DNS is essential to your IT cybersecurity infrastructure. When poorly managed, DNS can become a huge landscape for attackers.

Nonetheless, when properly configured, DNS is a key line of defense against cyber threats for your organization. DNS filtering is an essential component of business cybersecurity. The best part about DNS filtering is that it is simple and effective to implement. Think of DNS filtering as another component in building a secure network. Implementing a DNS web filtering solution will protect your network in many different ways.

In this article, we’ll discuss how DNS systems work and how DNS filtering works. Then we’ll take a look at how DNS filtering can improve the security of your network. Finally, we’ll take a look at some of the other issues you might face with your DNS system.

DNS filtering to improve security

What is the Domain Name System (DNS)?

The Domain Name System, abbreviated DNS, is a tech solution for matching domain names (also called web addresses) to IP addresses, like 192.168.1.1. DNS is useful because it allows you to access the web without memorizing IP addresses. If you’re old enough, you might remember memorizing all of your friends’ telephone numbers, but today most people don’t bother.

How does DNS work?

DNS works by taking a web address and then matching it to the right IP. 

1. When you open a web browser (like Safari or Firefox), you typically type in a web address, like www.att.com, into the address bar. The browser then sends a DNS query to a specialized web server called a DNS resolver.
2. The DNS resolver then checks for an IP that matches the name you type into the web browser. It does this by either checking additional DNS servers or by checking its own cache.
3. Third, the DNS resolver “resolves” the domain by sending a reply to the user’s web browser with the correct IP address.
4. Finally, the user’s web browser contacts the server at the IP address that the DNS resolver looked up to establish a connection and load the web page.

Why is DNS so important?

The DNS system is essential to be able to access the web. Unless you have the web addresses of all your favorite websites memorized, you can’t load any web content before the DNS resolution process occurs. As a result, DNS filtering is a smart, effective way of enhancing security.

Furthermore, today web security is a top priority for businesses. This is because cybersecurity is no longer just an IT issue, but it’s a practical business issue as well.

How does DNS filtering work?

Because all DNS queries go to a DNS resolver, DNS resolvers can also be used as a filter to block malicious activity. For instance, a specially configured DNS resolver can refuse to resolve queries for certain domains that are listed on a private or publicly-maintained blocklist (sometimes called a blacklist). 

Similarly, for even greater and enhanced security, DNS resolvers can also be configured to only permit access to the web through an allowlist (or whitelist). An allowlist is a list of websites that users are permitted to access. Any attempts to visit unauthorized websites will prevent the page from loading.

For example, imagine an employee browsing Facebook at work. The employee comes across a Facebook post with a link to win $1,000,000, so they never have to work again. When the employee clicks the link, the query is first sent to a DNS resolving service. The service compares the link to a list of unapproved websites. If it turns out that the link is to an unauthorized website, the DNS resolver will block the request.

As it turns out, in this scenario, the $1,000,000 prize was actually a phishing attempt, and the request is blocked. This is one way that you can configure DNS filtering services.

Bring phishing attacks and inappropriate browsing to a halt

A blocklist isn’t just for stopping phishing attacks. A blocklist can list harmful domains and IP addresses that are curated by the cybersecurity community or are maintained by your own cybersecurity team. Consider joining OTX, the Open Threat Exchange, where you can stay up to date on the latest developments in emergent cybersecurity threats.

In some cases, DNS filters are automated, where they will check websites for malicious code. Often, JavaScript is a primary culprit for these types of malicious websites. When malicious code is detected, the website and IP address are automatically added to the blocklist.

As a plus, DNS filtering can also be used to block objectionable content. A common way this is done is by blocking adult content. Unsurprisingly, these websites frequently contain malware and cause other security concerns, so they are probably best blocked anyway. DNS filtering is often used in conjunction with a firewall to enhance security protections.

Block malware with secure DNS servers

Malware is a type of software designed to execute bad code that steals information or takes control of a user’s device. Using secure DNS servers is one way to enhance security and prevent malware from taking hold. Secure DNS servers can also enhance the privacy of user data. Cloudflare, a popular web hosting backup service, offers a DNS resolving service called 1.1.1.1 that wipes all of its DNS query logs after 24 hours.

In order to increase security, it’s recommended that you enable several additional security tools when utilizing DNS resolution services. DNSSEC is a protocol that verifies DNS resolver information and makes sure they have not been compromised by an attacker.

Additional protocols like DNS over TLS (DoT) and DNS over HTTPS (DoH) encrypt your DNS queries and replies. Encrypting DNS queries is vital because it prevents attackers from analyzing your queries and tracking which websites your users visit. When used in conjunction with threat monitoring and detection, your security will be a step above everyone else.

Stop DNS spoofing

A final form of DNS security to be aware of is DNS spoofing. DNS spoofing is sometimes called cache poisoning. When a computer takes data from a cache (a saved index), it does not know if the IP has changed since the last time a website was visited. If that’s the case, a computer can maliciously change values in a cache and redirect users to malicious websites. 

DNS spoofing is done using malicious software like Ettercap, dns2proxy, SSLStrip+, and others. In some cases, hackers gain access using a user’s computer. When they do, the hackers gain access to the DNS cache and manipulate the addresses.

Preventing DNS spoofing is easy if you utilize a secure DNS service. Additionally, preventing users from phishing attempts also helps increase security.

Use multiple forms of protection

DNS filtering is just one step in building a cybersecurity defense net. Cybersecurity is all about identifying potential threat vectors and eliminating them. Remember, there are plenty of other dangers to educate yourself and be aware of, whether it’s e-mail security to potential threats from hackers and malware. Grab AT&T’s latest cybersecurity insights report to learn more about the latest issues in cybersecurity.

Additional thought: try using tools such as GetWeave to find out what people are saying online about the security of your business.

The post How DNS filtering can help protect your business from Cybersecurity threats appeared first on Cybersecurity Insiders.

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

One of the most prevalent threats today, facing both organizations and individuals alike, is the use of ransomware. In 2021, 37% of organizations said they were victims of some type of ransomware attack. Ransomware can render large amounts of important data inaccessible nearly instantly. This makes reacting to potential ransomware events in a timely and accurate manner extremely important. Utilizing an endpoint security tool is critical to  help mitigate these threats. However, it is vital to maintain vigilance and situational awareness when addressing these threats, and not rely solely on one piece of information when performing analysis.

The AT&T Managed Extended Detection and Response (MXDR) analyst team received an alarm stating SentinelOne had detected ransomware on a customer’s asset. The logs suggested the threat had been automatically quarantined, but further analysis suggested something more sinister was afoot. The same malicious executable had been detected on that asset twice before, both times reportedly being automatically quarantined. This type of persistent malware can be an indicator of a deeper infection such as a rootkit. After a more in-depth analysis and collaboration with the customer, the decision was made to quarantine and power off the asset, and replace the asset entirely due to this persistent malware.

Initial alarm review

Indicators of Compromise (IOC)

The initial SentinelOne alarm alerted us to an executable ‘mssecsvc.exe’:

The name of the executable as well as the file path is cleverly crafted to imitate a legitimate Windows program.

Expanded investigation

Events search

Searching events for the file hash revealed it had been repeatedly detected on the same asset over the last 2 weeks. In each instance the event log reports the executable being automatically quarantined by SentinelOne.

Additionally, a search in USM Anywhere revealed two previous investigations opened for the same executable on the same asset. In both previous investigations the customer noted SentinelOne had automatically quarantined the file but did not take any further action regarding the asset.

Event deep dive

In the new instance of this alarm the event log reports SentinelOne successfully killed any processes associated with the executable and quarantined the file.

 

This may lead one to believe there is no longer a threat. But the persistent nature of this file raises more questions than the event log can answer.

Reviewing additional indicators

It is important to not rely on a single piece of information when assessing threats and to go beyond just what is contained in the logs we are given. Utilizing open-source threat intelligence strengthens our analysis and can confirm findings. Virus Total confirmed the file hash was deemed malicious by multiple other vendors.

The executable was also analyzed in JoeSandbox. This revealed the file contained a device path for a binary string ‘FLASHPLAYERUPDATESERVICE.EXE which could be used for kernel mode communication, further hinting at a rootkit.

Response

Building the investigation

Despite the event log suggesting the threat had been automatically quarantined, the combination of the repeat occurrence and the findings on open-source threat intel platforms warranted raising an investigation to the customer. The customer was alerted to the additional findings, and it was recommended to remove the asset from the network.

The customer agreed with the initial analysis and suspected something more serious. The analysts then searched through the Deep Visibility logs from SentinelOne to determine the source of the mssecsvc.exe. Deep Visibility logs allow us to follow associated processes in a storyline order. In this case, it appears the ‘mssecsvc.exe’ originated from the same ‘FlashPlayerUpdateService.exe’ we saw in the JoeSandbox analysis. Deep Visibility also showed us that mssecsvc.exe had a Parent Process of wininit.exe, which was likely to be the source of persistence.

Customer interaction

Another notable feature of USM Anywhere is the ability to take action from one centralized portal. As a result of the investigation, the analysts used the Advanced AlienApp for SentinelOne to place the asset in network quarantine mode and then power it off. An internal ticket was submitted by the customer to have the asset replaced entirely.

Limitations and opportunities

Limitations

A limiting factor for the SOC is our visibility into the customer's environment as well as what information we are presented in log data. The event logs associated with this alarm suggested there was no longer a threat, as it had been killed and quarantined by SentinelOne. Taking a single instance of information at face value could have led to further damage, both financially and reputationally. This investigation highlighted the importance of thinking outside the log, researching historical investigations, and combining multiple sources of information to improve our analysis.

The post Stories from the SOC – Persistent malware appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

Cybersecurity is a complex task that is never complete. It’s an ongoing proactive practice of securing, monitoring, and mitigating threats. It’s a constant cycle where threats and vulnerabilities are detected, teams investigate and mitigate any issues, then network cybersecurity systems are reinforced to combat the next potential threat. 

Business operations increasingly rely on numerous devices and digital tools to accomplish daily tasks. Laptops, smartphones, desktops, business applications, and software are used to protect sensitive data in an era of remote and hybrid working options. In today’s world, business endpoint security is an absolute requirement to prevent costly breaches. 

There’s no question that cybersecurity should be a number one focus for businesses that want to keep growing. But it’s challenging to improve and scale cybersecurity efforts in an environment that is constantly changing, with new threats and technologies constantly being developed. To make things worse, the cybersecurity labor crisis only intensifies. 

If your organization is struggling to maintain adequate cybersecurity personnel with the necessary knowledge and expertise to protect your organization’s most valuable assets, then look at these tips to help your company stay ahead of the cybersecurity labor crisis and keep growing your business. 

What is the cybersecurity labor crisis?

As the demand for cybersecurity services increases, the number of knowledgeable cybersecurity professionals looking for full-time employment dwindles. The US Bureau of Labor Statistics expects “IT security analyst” to be one of the top 10 fastest growing occupations over the next decade. Cybersecurity only accounts for 13% of the IT market overall, yet the amount of cybersecurity job postings is three times greater than other IT positions. 

2020 marked a significant shift as remote work became a reality in nearly every industry. This has led to increased cybersecurity needs as companies add numerous devices to their networks to accommodate remote workers. The result? Overworked technology professionals and IT teams. 

Despite the number of open cybersecurity positions, companies are having difficulty finding talent to fill in the gaps. Right now, it’s a workers’ game. Without adjusting to the needs of cybersecurity workers, businesses will be left without and could leave their networks vulnerable to damaging cyber-attacks. 

Tips to keep growing your business during the cybersecurity labor crisis

The past few years have pushed cybersecurity professionals to their limits. In one of the most in-demand industries, they experience heavy workloads, long hours, and limited flexibility. It’s no wonder that technology professionals are burning out and seeking work-from-home opportunities like freelancing, consulting, building their own small businesses, or working for competitors with a better offer. 

To overcome the cybersecurity labor shortage, companies must realign their business models to a customer-centric perspective. Instead of making business decisions purely for profits and productivity, companies should also improve their company cultures to enhance their employees' work experiences. Here are some tips to help you stay ahead of the cybersecurity labor shortage and attract top talent to your organization:

Update your benefits package

Arguably, the first thing businesses should do is update their benefits package. The values of workers have changed since the onset of the pandemic. Cybersecurity professionals now seek flexibility and remote working options that allow them to more efficiently manage their work-life balance. 

Recent surveys reveal the benefits that employees want the most: 

• 95% want better health care benefits
• 71% value retirement benefits
• 50% need family leave benefits
• 29% expect a more flexible work environment

Businesses should also take a look at their compensation and benefits packages. If your competitors offer the same salary with more time off, better 401(k) options, and six months of paid parental leave, you can guess where valued employees might end up. Adjust the salaries of your cybersecurity professionals to reflect the value they bring to your company and open up your company to a broader talent pool. 

Seek out diverse talent

Job experts say that there are plenty of opportunities to bring new talent to tech positions like cybersecurity. The best way to do that is through diversity. DE&I has been a hot topic for organizations in light of recent social movements calling for equality across people of different experiences, races, and genders. But committing to seeking out diverse talent is more than just the right thing to do. It can also be a smart business move for companies that want to grow during the cybersecurity labor shortage. 

Although gender equality in the workplace has come a long way since the 60s, when women couldn’t even open a bank account, only 25% of cybersecurity professionals are women in 2022. 

Even more shocking, only 3% of cybersecurity professionals are Black. Subconscious bias plays a big part in how recruiters evaluate potential candidates, so companies should work toward more equitable recruiting practices. 

Organizations should also look at the diversity represented across their existing teams. Look for crucial skills in historically underrepresented groups such as minorities and people with disabilities. And provide plenty of opportunities for training, advancement and high-level positions for people with diverse identities. 

Leverage third party monitoring and support

Another great way to continue scaling your business is to leverage technology. There are many different types of software and managed services that help businesses maintain their cybersecurity ecosystem without an in-house IT team or to help fill in talent gaps. Digital tools that utilize automation, machine learning, and AI can help reduce the number of tedious processes that workers have to devote time to so that they can focus on higher-value activities. 

A great example of an application that helps mitigate security risks through intuitive tools and automation is Visualping. Website defacement monitoring tool makes it easy to track visual or code changes, as well as monitor links and other sensitive elements on your organization’s website. Instead of cybersecurity personnel monitoring changes 24/7, this streamlined application allows teams to get security alerts through text, email, Slack, and more. 

Invest in professional development

While spending money is the last thing that business owners looking to scale want to do, it is often the best way to ensure that you have all the resources necessary to level up. And when it comes to personnel, your investment can mean the difference between growing or lagging. 

Companies should invest in their current employees just as much as (if not more than) acquiring new talent. By providing education and cross-training for roles in your organization, you can arm yourself against the cybersecurity labor shortage. Programs such as one-on-one coaching, in-house training, and shadowing help your current employees upskill while on the job. And you build a team of talented cybersecurity professionals. 

Professional development is a great way to retain employees and improve their skills simultaneously. Organizations should outline clear career paths for each role and offer competitive compensation to attract driven individuals that are eager to learn. This gives your workers a goal to work towards, as well as builds a sense of ownership and loyalty among employees. 

Partner with higher education

Another great way to stay ahead of the labor shortage and enhance your operations is to develop partnerships with higher education and other industry-related programs. Top companies know this secret to success and consistently offer funding and resources in exchange for a direct funnel into cybersecurity positions. Companies can offer internships, speak at industry events, and recruit at universities to find unique talent that can help scale your business. 

There are many ways that organizations can get involved in the education sector. Look at your competitors and discover the ways that they are encouraging young college students to look into the field of cybersecurity or how you can create a direct funnel of talented individuals to your organization. 

Final thoughts

The demand for, and demands on cybersecurity professionals has left workers burnt-out, tired, and willing to leave their positions to seek out better opportunities on their own. Companies that want to keep growing their business are facing challenges as the cybersecurity workforce dwindles. According to a recent study, 57% of organizations feel the negative impacts of the cybersecurity labor shortage. To attract and retain knowledgeable cybersecurity professionals, companies need to develop new employment models that give workers the things they need to be satisfied and successful. 

The post How to stay ahead of the Cybersecurity labor crisis and keep growing your business appeared first on Cybersecurity Insiders.

Executive summary

AT&T Alien Labs™ has been tracking a new IoT botnet dubbed “EnemyBot”, which is believed to be distributed by threat actor Keksec. During our investigations, Alien Labs has discovered that EnemyBot is expanding its capabilities, exploiting recently identified vulnerabilities (2022), and now targeting IoT devices, web servers, Android devices and content management system (CMS) servers. In addition, the malware base source code can now be found online on Github, making it widely accessible.

Key takeaways:

• EnemyBot’s base source code can be found on Github, making it available to anyone who wants to leverage the malware in their attacks.
• The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities.
• Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices.
• The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec)

Background

First discovered by Securonix in March 2022 and later detailed in an in-depth analysis by Fortinet, EnemyBot is a new malware distributed by the threat actor “Keksec” targeting Linux machines and IoT devices.

According to the malware Github’s repository, EnemyBot derives its source code from multiple botnets to a powerful and more adjustable malware. The original botnet code that EnemyBot is using includes: Mirai, Qbot, and Zbot. In addition, the malware includes custom development (see figure 1).

Figure 1. EnemyBot page on Github.

The Keksec threat group is reported to have formed back in 2016 by a number of experienced botnet actors. In November 2021, researchers from Qihoo 360 described in detail the threat actor’s activity in a presentation, attributing to the Keksec the development of botnets for different platforms including Windows and Linux:

• Linux based botnets: Tsunami and Gafgyt
• Windows based botnets: DarkIRC, DarkHTTP
• Dual systems: Necro (developed in Python)

Source code analysis

The developer of the Github page on EnemyBot self describes as a “full time malware dev,” that is also available for contract work. The individual states their workplace as “Kek security,” implying a potential relationship with the broader Keksec group (see figure 2).

Figure 2. EnemyBot developer description.

The malware repository on Github contains four main sections:

cc7.py

This module is a Python script file that downloads all dependencies and compiles the malware into different OS architectures including x86, ARM, macOS, OpenBSD, PowerPC, MIPS, and more (see figure 3)

Figure 3. Compiling malware source code to macOS executable.

Once compilation is complete, the script then creates a batch file ‘update.sh’ which is used by the bot as a downloader that is then delivered to any identified vulnerable targets to spread the malware.

Figure 4. Generated `update.sh` file to spread EnemyBot on different architectures.

enemy.c

This is the main bot source code. Though it is missing the main exploitation function, it includes all other functionality of the malware and the attacks the bot supports by mixing the various botnet source codes as mentioned above (Mirai, Qbot, and Zbot) — mainly Mirai and Qbot (see figure 5).

 

Figure 5. EnemyBot source code.

hide.c

This module is compiled and manually executed to encode / decode the malware’s strings by the attacker to hide strings in binary. For that, the malware is using a simple swap table, in which each char is replaced with a corresponding char in the table (see in figure 6).

Figure 6. String decode.

servertor.c

Figure 7 shows the command-and-control component (C&C) botnet controller. C&C will be executed on a dedicated machine that is controlled by the attacker. It can control and send commands to infected machines. (figure 7)

Figure 7. C&C component.

New variant analysis

Most of EnemyBot functionality relates to the malware’s spreading capabilities, as well as its ability to scan public-facing assets and look for vulnerable devices. However, the malware also has DDoS capabilities and can receive commands to download and execute new code (modules) from its operators that give the malware more functionality.

In new variants of EnemyBot, the malware added a webscan function containing a total of 24 exploits to attack vulnerabilities of different devices and web servers (see figure 8).

Figure 8. EnemyBot calls for a new function “webscan_xywz”.

To perform these functions, the malware randomly scans IP addresses and when it gets a response via SYN/ACK, EnemyBot then scans for vulnerabilities on the remote server by executing multiple exploits.

The first exploit is for the Log4j vulnerability discovered last year as CVE-2021-44228 and CVE-2021-45046:

Figure 9. Exploiting the Log4J vulnerability.

The malware also can adopt new vulnerabilities within days of those vulnerabilities being discovered. Some examples are Razer Sila (April 2022) which was published without a CVE (see figure 10) and a remote code execution (RCE) vulnerability impacting VMWare Workspace ONE with CVE-2022-22954 the same month (see figure 11).

Figure 10. Exploiting vulnerability in Razar Sila.

Figure 11. Exploiting vulnerability in VMWare Workspace ONE.

EnemyBot has also begun targeting content management systems (e.g. WordPress) by searching for vulnerabilities in various plugins, such as “Video Synchro PDF” (see figure 12).

Figure 12. EnemyBot targeting WordPress servers.

In the example shown in figure 12, notice that the malware elevates a local file inclusion (LFI) vulnerability into a RCE by injecting malicious code into the ‘/proc/self/environ’. This method is not new and was described in 2009. The malware uses LFI to call ‘environ’ and passes the shell command in the user agent http header.

Another example of how the malware uses this method is shown in figure 13. In this example the malware is exploiting a vulnerability in DBltek GoIP.

Figure 13. Executing shell command through LFI vulnerability in DBltek.

In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing shell command. (figure 14)

Figure 14. EnemyBot “adb_infect” function to attack Android devices.

After infection, EnemyBot will wait for further commands from its C&C. However, in parallel it will also further propogate by scanning for additional vulnerable devices. Alien Labs has listed below the commands the bot can receive from its C&C (accurate as of the publishing of this article). 

Command	Action
SH	Execute shell command
PING	Ping to server, wait for command
LDSERVER	Change loader server for payload.
TCPON	Turn on sniffer.
RSHELL	Create a reverse shell on an infected machine.
TCPOFF	Turn off sniffer.
UDP	Start UDP flood attack.
TCP	Start TCP flood attack.
HTTP	Start HTTP flood attack.
HOLD	Start TCP connection flooder.
TLS	Start TLS attack, start handshake without closing the socket.
STD	Start non spoofed UDP flooder.
DNS	Start DNS flooder.
SCANNER ON | OFF	Start/Stop scanner – scan and infect vulnerable devices.
OVH	Start DDos attack on OVH.
BLACKNURSE	Start ICMP flooder.
STOP	Stop ongoing attacks. kill child processes
ARK	Start targeted attack on ARK: Survivor Evolved video game server.
ADNS	Receive targets list from C&C and start DNS attack.
ASSDP	Start SSDP flood attack.

We have also listed the current vulnerabilities EnemyBot uses. As mentioned, some of them have not been assigned a CVE yet. (As of the publishing of this article.)

CVE Number	Affected devices
CVE-2021-44228, CVE-2021-45046	Log4J RCE
CVE-2022-1388	F5 BIG IP RCE
No CVE (vulnerability published on 2022-02)	Adobe ColdFusion 11 RCE
CVE-2020-7961	Liferay Portal – Java Unmarshalling via JSONWS RCE
No CVE (vulnerability published on 2022-04)	PHP Scriptcase 9.7 RCE
CVE-2021-4039	Zyxel NWA-1100-NH Command injection
No CVE (vulnerability published on 2022-04)	Razar Sila – Command injection
CVE-2022-22947	Spring Cloud Gateway – Code injection vulnerability
CVE-2022-22954	VMWare Workspace One RCE
CVE-2021-36356, CVE-2021-35064	Kramer VIAware RCE
No CVE (vulnerability published on 2022-03)	WordPress Video Synchro PDF plugin LFI
No CVE (vulnerability published on 2022-02)	Dbltek GoIP LFI
No CVE(vulnerability published on 2022-03)	WordPress Cab Fare Calculator plugin LFI
No CVE(vulnerability published on 2022-03)	Archeevo 5.0 LFI
CVE-2018-16763	Fuel CMS 1.4.1 RCE
CVE-2020-5902	F5 BigIP RCE
No CVE (vulnerability published on 2019)	ThinkPHP 5.X RCE
No CVE (vulnerability published on 2017)	Netgear DGN1000 1.1.00.48 ‘Setup.cgi’ RCE
CVE-2022-25075	TOTOLink A3000RU command injection vulnerability
CVE-2015-2051	D-Link devices – HNAP SOAPAction – Header command injection vulnerability
CVE-2014-9118	ZHOME < S3.0.501 RCE
CVE-2017-18368	Zyxel P660HN – unauthenticated command injection
CVE-2020-17456	Seowon SLR 120 router RCE
CVE-2018-10823	D-Link DWR command injection in various models

Recommended actions

1. Maintain minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
2. Enable automatic updates to ensure your software has the latest security updates.
3. Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.

Conclusion

Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers. The malware can quickly adopt one-day vulnerabilities (within days of a published proof of concept). This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

SURICATA IDS SIGNATURES

Log4j sids: 2018202, 2018203, 2034647, 2034648, 2034649, 2034650, 2034651, 2034652, 2034653, 2034654, 2034655, 2034656, 2034657, 2034658, 2034659, 2034660, 2034661, 2034662, 2034663, 2034664, 2034665, 2034666, 2034667, 2034668, 2034671, 2034672, 2034673, 2034674, 2034676, 2034699, 2034700, 2034701, 2034702, 2034703, 2034706, 2034707, 2034708, 2034709, 2034710, 2034711, 2034712, 2034713, 2034714, 2034715, 2034716, 2034717, 2034723, 2034743, 2034744, 2034747, 2034748, 2034749, 2034750, 2034751, 2034755, 2034757, 2034758, 2034759, 2034760, 2034761, 2034762, 2034763, 2034764, 2034765, 2034766, 2034767, 2034768, 2034781, 2034782, 2034783, 2034784, 2034785, 2034786, 2034787, 2034788, 2034789, 2034790, 2034791, 2034792, 2034793, 2034794, 2034795, 2034796, 2034797, 2034798, 2034799, 2034800, 2034801, 2034802, 2034803, 2034804, 2034805, 2034806, 2034807, 2034808, 2034809, 2034810, 2034811, 2034819, 2034820, 2034831, 2034834, 2034835, 2034836, 2034839, 2034886, 2034887, 2034888, 2034889, 2034890, 2838340, 2847596, 4002714, 4002715

4001913: AV EXPLOIT LifeRay RCE (CVE-2020-7961) 4001943: AV EXPLOIT Liferay Portal Java Unmarshalling RCE (CVE-2020-7961) 4002589: AV EXPLOIT LifeRay Remote Code Execution – update-column (CVE-2020-7961) 2031318: ET CURRENT_EVENTS 401TRG Liferay RCE (CVE-2020-7961) 2031592: ET WEB_SPECIFIC_APPS Liferay Unauthenticated RCE via JSONWS Inbound (CVE-2020-7961)

2035955: ET EXPLOIT Razer Sila Router – Command Injection Attempt Inbound (No CVE) 2035956: ET EXPLOIT Razer Sila Router – LFI Attempt Inbound (No CVE)

2035380: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-2294) (set) 2035381: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-2294)

2035876: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954) 2035875: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954) 2035874: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954) 2036416: ET EXPLOIT Possible VMware Workspace ONE Access RCE via Server-Side Template Injection Inbound (CVE-2022-22954)

4002364: AV EXPLOIT Fuel CMS RCE (CVE-2018-16763)

2030469: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1 2030483: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M2

2836503: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Inbound 2836504: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Outbound 2836633: ETPRO EXPLOIT BlackSquid Failed ThinkPHP Payload Inbound 2026731: ET WEB_SERVER ThinkPHP RCE Exploitation Attempt

2024916: ET EXPLOIT Netgear DGN Remote Command Execution 2029215: ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 2034576: ET EXPLOIT Netgear DGN Remote Code Execution

2035746: ET EXPLOIT Totolink – Command Injection Attempt Inbound (CVE-2022-25075)

4001488: AV TROJAN Mirai Outbound Exploit Scan, D-Link HNAP RCE (CVE-2015-2051) 2034491: ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051)

4000095: AV EXPLOIT Unauthenticated Command Injection (ZyXEL P660HN-T v1) 4002327: AV TROJAN Mirai faulty Zyxel exploit attempt 2027092: ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE

4002226: AV EXPLOIT Seowon Router RCE (CVE-2020-17456) 2035950: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M1 (CVE-2020-17456) 2035951: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M2 (CVE-2020-17456)

2035953: ET EXPLOIT D-Link DWR Command Injection Inbound (CVE-2018-10823)

 

AGENT SIGNATURES

Java Process Spawning Scripting Process

Java Process Spawning WMIC

Java Process Spawning Scripting Process via Commandline (For Jenkins servers)

Suspicious process executed by Jenkins Groovy scripts (For Jenkins servers)

Suspicious command executed by a Java listening process (For Linux servers)

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

TYPE	INDICATOR	DESCRIPTION
IP ADDRESS	80.94.92[.]38	Malware C&C
SHA256	7c0fe3841af72d55b55bc248167665da5a9036c972acb9a9ac0a7a21db016cc6	Malware hash
SHA256	2abf6060c8a61d7379adfb8218b56003765c1a1e701b346556ca5d53068892a5	Malware hash
SHA256	7785efeeb495ab10414e1f7e4850d248eddce6be91738d515e8b90d344ed820d	Malware hash
SHA256	8e711f38a80a396bd4dacef1dc9ff6c8e32b9b6d37075cea2bbef6973deb9e68	Malware hash
SHA256	31a9c513a5292912720a4bcc6bd4918fc7afcd4a0b60ef9822f5c7bd861c19b8	Malware hash
SHA256	139e1b14d3062881849eb2dcfe10b96ee3acdbd1387de82e73da7d3d921ed806	Malware hash
SHA256	4bd6e530db1c7ed7610398efa249f9c236d7863b40606d779519ac4ccb89767f	Malware hash
SHA256	7a2a5da50e87bb413375ecf12b0be71aea4e21120c0c2447d678ef73c88b3ba0	Malware hash
SHA256	ab203b50226f252c6b3ce2dd57b16c3a22033cd62a42076d09c9b104f67a3bc9	Malware hash
SHA256	70674c30ed3cf8fc1f8a2b9ecc2e15022f55ab9634d70ea3ba5e2e96cc1e00a0	Malware hash
SHA256	f4f9252eac23bbadcbd3cf1d1cada375cb839020ccb0a4e1c49c86a07ce40e1e	Malware hash
SHA256	6a7242683122a3d4507bb0f0b6e7abf8acef4b5ab8ecf11c4b0ebdbded83e7aa	Malware hash
SHA256	b63e841ded736bca23097e91f1f04d44a3f3fdd98878e9ef2a015a09950775c8	Malware hash
SHA256	4869c3d443bae76b20758f297eb3110e316396e17d95511483b99df5e7689fa0	Malware hash
SHA256	cdf2c0c68b5f8f20af448142fd89f5980c9570033fe2e9793a15fdfdadac1281	Malware hash

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

• TA0001: Initial Access:
  • T1190: Exploit Public-Facing Application
• TA0008: Lateral Movement:
  • T1210: Exploitation of Remote Services
  • T1021: Remote Services
• TA0011: Command and Control
  • T1132: Data Encoding
  • T1001: Data Obfuscation
  • T1030: Proxy:
    • 003: Multi-hop Proxy

The post Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices appeared first on Cybersecurity Insiders.

The partnership between these two market-leading vendors enables MSSPs around the world to fast-track cutting-edge MXDR services.

AT&T, the leader in network and managed security services, and SentinelOne, the leader in next generation, autonomous endpoint protection, today announced a strategic alliance to help prevent cybercrime. The partnership focuses on providing managed security service providers (MSSPs) around the world with a clear path to providing top-tier managed extended detection and response (MXDR) capabilities for customers.

“Managed XDR is a lot different than the conventional detection and response systems in the sense that it enables members of our partner program to build solutions on the platforms their customers already use in order to make the best out of their investments,” says Rakesh Shah, Vice President of Product at AT&T Cybersecurity. “The new alliance combines AT&T USM Anywhere network threat detection capabilities with SentinelOne endpoint protection. Together, these two security platforms provide industry-leading network and endpoint threat detection and response solutions that will enable MSSPs to be successful at providing their end customers with world-class security.”

“AT&T and SentinelOne help MSSPs enter the era of XDR, protecting more surfaces at speeds and scales previously not possible with humans alone. SentinelOne’s autonomous technology coupled with AT&T’s integrated network technologies and services enables MSSPs to reduce risk and boost protection for their customers,” says Mike Petronaci, VP Product at SentinelOne.

The alliance streamlines XDR attainment for partner program members that provide manage security services for a range of organizations. An ideal customer for this MXDR solution would be an MSSP managing small-to-midsized enterprises. Those enterprises may be interested in outsourcing managed cybersecurity services because they do not have the in-house resources to deliver the security results they need. Larger enterprises that do not want to outsource their security completely but are looking for some help could also use this MXDR solution managed by one of our partners.

The tight integration this alliance brings provides MSSP partners with ready access to the award-winning USM Anywhere and SentinelOne platforms. In addition, for MSSPs that acquire SentinelOne endpoint protection through the partner program, AT&T will manage hundreds of additional indicators of compromise through a unique integration within USM Anywhere that streams uniquely tailored security telemetry from the SentinelOne Deep Visibility platform.

The post AT&T Cybersecurity’s Partner Program and SentinelOne enter managed XDR market with robust alliance appeared first on Cybersecurity Insiders.